MS released a large number of patches yesterday. Many of these vulnerabilities have been known for more than a month, and some of them have already been used with might and main in malicious programs, which is where the information about them was obtained in the first place.
MS10-090 (IE) is a comprehensive patch package covering a whole bunch of gaps (CVE-2010-3340, CVE-2010-3342, CVE-2010-3343, CVE-2010-3345, CVE-2010-3346, CVE-2010-3348, CVE-2010-3962). Most of these nice vulnerabilities allow remote code execution under IE6/IE7/IE8.
MS10-091 (OpenType Font driver) - this update also closes a whole bunch of vulnerabilities (CVE-2010-3956, CVE-2010-3957, CVE-2010-3959) in the OpenType Font (OTF) driver, which can lead to remote code execution. An attacker can place a specially prepared OpenType font on a network share; when it is viewed in Windows Explorer, arbitrary code is executed with system privileges.
MS10-092 (Task Scheduler) is the last unpatched vulnerability that remained from the Stuxnet worm, which used it to raise local privileges to the system level on Vista/Win7. What is interesting is that the vulnerability works on x64 systems too, and it has come to be used in the latest modifications of the TDL4 rootkit. A detailed description of the vulnerability is in the ESET study "Stuxnet under the microscope" on page 39. By the way, the research team (Aleksandr Matrosov, Eugene Rodionov, Juraj Malcho and David Harley) who prepared this report added a description of this vulnerability to it.
The DLL Preloading Issues (MS10-093, MS10-094, MS10-095, MS10-096, MS10-097) are again a whole complex of patches with one goal: to close vulnerabilities that allow dynamic libraries to be substituted while they are being loaded. Some of these patches close this gap in standard applications such as Windows Address Book or Windows Movie Maker. But in MS10-095 a really serious flaw was fixed, one which allows arbitrary code to be executed remotely when a user navigates to a specially crafted WebDAV path and opens a file whose library has been replaced with an arbitrary one. The first to demonstrate this method were the guys from the Metasploit Project, who made a working exploit publicly available back in August.
MS10-098 - a whole set of vulnerabilities was again closed (CVE-2010-3941, CVE-2010-3942, CVE-2010-3943, CVE-2010-3944), but this time in the kernel. All of them allow local privileges to be raised to the system level, and they were closed thanks to the researcher Tarjei Mandt from Norman. Some of them are described in detail in his blog.
In addition to the above, a number of the following vulnerabilities were also closed:
MS10-099 (Routing and Remote Access NDProxy component) - Elevation of Privilege
MS10-100 (Consent User Interface) - Elevation of Privilege
MS10-101 (Netlogon RPC Service) - Denial of Service
MS10-102 (Hyper-V) - Denial of Service
MS10-103 (Microsoft Publisher) - Remote Code Execution
MS10-104 (Microsoft SharePoint) - Remote Code Execution
MS10-105 (Microsoft Office Graphics Filter) - Remote Code Execution
MS10-106 (Microsoft Exchange) - Denial of Service
Thanks to the user systracer for pointing out that the CVE-2010-4398 vulnerability is still relevant. It is a stack overflow related to SystemDefaultEUDCFont and allows privileges to be raised to the system level on a large number of platforms, including x64.